`ipxe` build broke after https://github.com/NixOS/nixpkgs/pull/210004
where we started dropping default libc include path and switched to
`-idirafter` way of specifying libc headers.

Unfortunately the way it's implemented it injects `-idirafter` after
user's flags, not before. That allows users to inject their paths before
libc include paths, not after (as it would normally happen).

The change works around it for `ipxe` by pulling `-idirafter` libc flags
before user's flags.

iPXE does not make stable releases[1]. The tag we were using was an
anomaly[2], and is from 2020.

The geniso script has been replaced with a generic genfsimg script
that works differently. There are no longer variables we can set to
tell it where to find isolinux.bin or ldlinux.c32, so we have to patch
the script. It'll look in the same place for both files.

The --preserve=mode modification doesn't seem to be necessary any more
— when it was introduced in 4d7bea7e5e ("ipxe: fix ISO build"), it
was required to make a working ISO with an embedded script. But my
ISO with an embedded script now works fine without that change.

[1]: https://github.com/ipxe/ipxe/discussions/544
[2]: https://github.com/ipxe/ipxe/discussions/544#discussioncomment-1894506

For example BANNER_TIMEOUT can be overridden like:
```
ipxe.overrideArgs(old: {
  enableOptions = old.enableOptions ++ [ "BANNER_TIMEOUT 100" ];
});
```

Signed-off-by: Arthur Gautier <baloo@superbaloo.net>

According to https://repology.org/repository/nix_unstable/problems, we have a
lot of packages that have http links that redirect to https as their homepage.
This commit updates all these packages to use the https links as their
homepage.

The following script was used to make these updates:
```
curl https://repology.org/api/v1/repository/nix_unstable/problems \
    | jq '.[] | .problem' -r \
    | rg 'Homepage link "(.+)" is a permanent redirect to "(.+)" and should be updated' --replace 's@$1@$2@' \
    | sort | uniq > script.sed
find -name '*.nix' | xargs -P4 -- sed -f script.sed -i
```

imgtrust is needed to run netboot.xyz scripts.
ping is useful for testing network settings.
Also add HTTP option for clarity (it's already being built).

gcc5 enables additional warnings, causing the build to fail with
-Werror. The build could be fixed by specifically disabling errors
for `discarded-array-qualifiers` and `logical-not-parentheses` warnings,
but simply passing -Wno-error is more future proof.
See https://hydra.nixos.org/build/33274006/nixlog/1/raw

The following parameters are now available:

* hardeningDisable
  To disable specific hardening flags
* hardeningEnable
  To enable specific hardening flags

Only the cc-wrapper supports this right now, but these may be reused by
other wrappers, builders or setup hooks.

cc-wrapper supports the following flags:
* fortify
* stackprotector
* pie (disabled by default)
* pic
* strictoverflow
* format
* relro
* bindnow
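
One way to check which of the flags listed above took effect in a built binary (an added example, not part of the commit or of nixpkgs): the function name and both sample excerpts are constructed for illustration. It covers pie, relro, bindnow, stackprotector and fortify; pic, strictoverflow and format affect compilation only and are not checked.

```shell
#!/bin/sh
# Added example, not nixpkgs code. Reads the text printed by
#   readelf -W -h -l -d --dyn-syms FILE
# on stdin and reports the hardening flags that leave a trace in the ELF.
hardening_report() {
    awk '
        function yn(v) { return v ? "yes" : "no" }
        /^ *Type:/ && /DYN/          { pie = 1 }      # ET_DYN (also true for shared objects)
        /GNU_RELRO/                  { relro = 1 }    # PT_GNU_RELRO segment, from -z relro
        /BIND_NOW|\(FLAGS_1\).*NOW/  { bindnow = 1 }  # DT_BIND_NOW, DF_BIND_NOW or DF_1_NOW
        /__stack_chk_fail/           { ssp = 1 }      # stack canary failure handler
        /__[a-z0-9_]+_chk(@| |$)/    { fortify = 1 }  # _FORTIFY_SOURCE checked libc calls
        END {
            printf "pie=%s relro=%s bindnow=%s stackprotector=%s fortify=%s\n",
                   yn(pie), yn(relro), yn(bindnow), yn(ssp), yn(fortify)
        }
    '
}

# Constructed readelf excerpt for a binary built with every checked flag on.
sample_hardened() {
cat <<'EOF'
  Type:                              DYN (Position-Independent Executable file)
  GNU_RELRO      0x002db0 0x0000000000003db0 0x0000000000003db0 0x000250 0x000250 R   0x1
 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE
     5: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (3)
     7: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __memcpy_chk@GLIBC_2.3.4 (4)
EOF
}

# Constructed excerpt for a binary built with hardening disabled.
sample_unhardened() {
cat <<'EOF'
  Type:                              EXEC (Executable file)
     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND memcpy@GLIBC_2.14 (2)
EOF
}
```

A "no" for stackprotector or fortify is not proof the flag was off: a binary with no function that needs a canary or a checked libc call references neither symbol.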